Forwarding port eth tun0 works for one NIC, bot not otheriptables NAT/Forwarding with external ADSL router;...

Adventure Game (text based) in C++

Recruiter wants very extensive technical details about all of my previous work

What's the meaning of a knight fighting a snail in medieval book illustrations?

Bach's Toccata and Fugue in D minor breaks the "no parallel octaves" rule?

Happy pi day, everyone!

What exactly is this small puffer fish doing and how did it manage to accomplish such a feat?

Did Ender ever learn that he killed Stilson and/or Bonzo?

How should I state my peer review experience in the CV?

What is the Japanese sound word for the clinking of money?

How could an airship be repaired midflight?

Are relativity and doppler effect related?

Math equation in non italic font

Is "upgrade" the right word to use in this context?

A diagram about partial derivatives of f(x,y)

et qui - how do you really understand that kind of phraseology?

Why does overlay work only on the first tcolorbox?

Equivalents to the present tense

Custom alignment for GeoMarkers

World War I as a war of liberals against authoritarians?

As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient?

Do I need to be arrogant to get ahead?

How do you talk to someone whose loved one is dying?

How are passwords stolen from companies if they only store hashes?

Describing a chess game in a novel



Forwarding port eth tun0 works for one NIC, bot not other


iptables NAT/Forwarding with external ADSL router; PCs on the network can't access the internetAllowing SSH on a server with an active OpenVPN clientConnect AWS and Azure via OpenVPNsite to site openvpn with Merlin and DD-WRTOpenVPN Access Server: Remote Subnet Cannot Access Client's ResourcesHow to get OpenVPN Client (Mikrotik RouterOS) <-> OpenVPN server (Debian/Linux) setup to workUFW blocks permitted portsubuntu allow local ip address to connect to other local machine using sshopenvpn: can't manage to control client-to-client connections with iptablesLinux: Bridging two ethernet connections together to allow second host onto first network













0















In my VPN, client with address 10.8.0.2 exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.



I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):



-       IP            availability to world
- 172.31.39.1/20 (ping works, forwarding works)
- 172.31.39.237/20 (ping works, forwarding doesn't work)


I was able to forward ens5 to that client port easily. Unfortunately, ens6 only respond for ICMP requests (ping works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.





  • telnet can't connect to ports 80,500 from outside of NIC2, ens6's public IP.

  • ping from outside for both NICs/IPs works

  • from inside the server, i can ping -I <dev> 8.8.8.8 both with ens5 and ens6


enter image description here



Interfaces



ip a



1: lo: 
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
valid_lft 2694sec preferred_lft 2694sec
3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
valid_lft forever preferred_lft forever
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever


/etc/netplan/50-cloud-init.yaml



network:
version: 2
ethernets:
ens5: # NIC 1 = 172.31.39.1
dhcp4: true
match:
macaddress: aa:aa:aa:aa:aa:aa
set-name: ens5


/etc/netplan/51-ens6.yaml



network:
version: 2
renderer: networkd
ethernets:
ens6: # NIC 2 = 172.31.39.237
match:
macaddress: bb:bb:bb:bb:bb:bb
dhcp4: no
addresses: [172.31.39.237/20]
routes:
- to: 0.0.0.0/0
via: 172.31.32.1
table: 1000
- to: 172.31.39.1
via: 0.0.0.0
scope: link
table: 1000
routing-policy:
- from: 172.31.39.237
table: 1000


Firewall



sysctl net.ipv4.ip_forward is set to 1.



/etc/ufw/before.rules



#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# START OPENVPN RULES
*nat
:POSTROUTING ACCEPT [0:0]


# Masquerade outgoing traffic
-A POSTROUTING -o ens5 -j MASQUERADE
-A POSTROUTING -o ens6 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE

# Allow return traffic
-A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2

-A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2

-A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
-A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2

COMMIT

# END OPENVPN RULES

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


UFW status verbose



Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
1194/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
5000/tcp ALLOW IN Anywhere
Anywhere ALLOW IN 80/tcp
Anywhere on tun0 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
5000/tcp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) ALLOW IN 80/tcp (v6)
Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)

Anywhere ALLOW OUT Anywhere on tun0
80/tcp ALLOW OUT Anywhere on eth0
10.8.0.0/24 ALLOW OUT Anywhere on ens5
Anywhere ALLOW OUT Anywhere on ens5
Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5


Routing



ip rule list



0:  from all lookup local 
0: from 172.31.39.237 lookup 1000
32766: from all lookup main
32767: from all lookup default


route -n



Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5


ip route show table all



default via 172.31.32.1 dev ens6 table 1000 proto static 
172.31.39.1 dev ens6 table 1000 proto static scope link
default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
local ::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens6 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
ff00::/8 dev ens6 table local metric 256 pref medium
ff00::/8 dev ens5 table local metric 256 pref medium
ff00::/8 dev tun0 table local metric 256 pref medium


Client config



to be short, let's assume:



iptables -I INPUT -j ACCEPT
iptables -I FORWARD -j ACCEPT
iptables -I OUTPUT -j ACCEPT


What am i missing?










share|improve this question





























    0















    In my VPN, client with address 10.8.0.2 exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.



    I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):



    -       IP            availability to world
    - 172.31.39.1/20 (ping works, forwarding works)
    - 172.31.39.237/20 (ping works, forwarding doesn't work)


    I was able to forward ens5 to that client port easily. Unfortunately, ens6 only respond for ICMP requests (ping works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.





    • telnet can't connect to ports 80,500 from outside of NIC2, ens6's public IP.

    • ping from outside for both NICs/IPs works

    • from inside the server, i can ping -I <dev> 8.8.8.8 both with ens5 and ens6


    enter image description here



    Interfaces



    ip a



    1: lo: 
    2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
    inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
    valid_lft 2694sec preferred_lft 2694sec
    3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
    inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
    valid_lft forever preferred_lft forever
    4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
    valid_lft forever preferred_lft forever


    /etc/netplan/50-cloud-init.yaml



    network:
    version: 2
    ethernets:
    ens5: # NIC 1 = 172.31.39.1
    dhcp4: true
    match:
    macaddress: aa:aa:aa:aa:aa:aa
    set-name: ens5


    /etc/netplan/51-ens6.yaml



    network:
    version: 2
    renderer: networkd
    ethernets:
    ens6: # NIC 2 = 172.31.39.237
    match:
    macaddress: bb:bb:bb:bb:bb:bb
    dhcp4: no
    addresses: [172.31.39.237/20]
    routes:
    - to: 0.0.0.0/0
    via: 172.31.32.1
    table: 1000
    - to: 172.31.39.1
    via: 0.0.0.0
    scope: link
    table: 1000
    routing-policy:
    - from: 172.31.39.237
    table: 1000


    Firewall



    sysctl net.ipv4.ip_forward is set to 1.



    /etc/ufw/before.rules



    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    # ufw-before-input
    # ufw-before-output
    # ufw-before-forward
    #

    # START OPENVPN RULES
    *nat
    :POSTROUTING ACCEPT [0:0]


    # Masquerade outgoing traffic
    -A POSTROUTING -o ens5 -j MASQUERADE
    -A POSTROUTING -o ens6 -j MASQUERADE
    -A POSTROUTING -o tun0 -j MASQUERADE

    # Allow return traffic
    -A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

    -A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
    -A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2

    -A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
    -A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2

    -A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
    -A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2

    COMMIT

    # END OPENVPN RULES

    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines

    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-output -o lo -j ACCEPT

    # quickly process packets for which we already have a connection
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP

    # ok icmp codes for INPUT
    -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

    # ok icmp code for FORWARD
    -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
    -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

    # allow dhcp client to work
    -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

    #
    # ufw-not-local
    #
    -A ufw-before-input -j ufw-not-local

    # if LOCAL, RETURN
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

    # if MULTICAST, RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

    # if BROADCAST, RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

    # all other non-local packets are dropped
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP

    # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

    # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
    # is uncommented)
    -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT


    UFW status verbose



    Status: active
    Logging: on (low)
    Default: deny (incoming), allow (outgoing), allow (routed)
    New profiles: skip

    To Action From
    -- ------ ----
    22/tcp ALLOW IN Anywhere
    1194/udp ALLOW IN Anywhere
    80/tcp ALLOW IN Anywhere
    5000/tcp ALLOW IN Anywhere
    Anywhere ALLOW IN 80/tcp
    Anywhere on tun0 ALLOW IN Anywhere
    22/tcp (v6) ALLOW IN Anywhere (v6)
    80/tcp (v6) ALLOW IN Anywhere (v6)
    5000/tcp (v6) ALLOW IN Anywhere (v6)
    Anywhere (v6) ALLOW IN 80/tcp (v6)
    Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)

    Anywhere ALLOW OUT Anywhere on tun0
    80/tcp ALLOW OUT Anywhere on eth0
    10.8.0.0/24 ALLOW OUT Anywhere on ens5
    Anywhere ALLOW OUT Anywhere on ens5
    Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
    80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
    Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5


    Routing



    ip rule list



    0:  from all lookup local 
    0: from 172.31.39.237 lookup 1000
    32766: from all lookup main
    32767: from all lookup default


    route -n



    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
    10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
    172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
    172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
    172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5


    ip route show table all



    default via 172.31.32.1 dev ens6 table 1000 proto static 
    172.31.39.1 dev ens6 table 1000 proto static scope link
    default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
    10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
    172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
    172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
    172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
    broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
    local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
    broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
    broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
    local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
    local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
    broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
    broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
    broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
    local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
    local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
    broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
    broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
    local ::1 dev lo proto kernel metric 256 pref medium
    fe80::/64 dev ens6 proto kernel metric 256 pref medium
    fe80::/64 dev ens5 proto kernel metric 256 pref medium
    fe80::/64 dev tun0 proto kernel metric 256 pref medium
    local ::1 dev lo table local proto kernel metric 0 pref medium
    local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
    local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
    local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
    ff00::/8 dev ens6 table local metric 256 pref medium
    ff00::/8 dev ens5 table local metric 256 pref medium
    ff00::/8 dev tun0 table local metric 256 pref medium


    Client config



    to be short, let's assume:



    iptables -I INPUT -j ACCEPT
    iptables -I FORWARD -j ACCEPT
    iptables -I OUTPUT -j ACCEPT


    What am i missing?










    share|improve this question



























      0












      0








      0








      In my VPN, client with address 10.8.0.2 exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.



      I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):



      -       IP            availability to world
      - 172.31.39.1/20 (ping works, forwarding works)
      - 172.31.39.237/20 (ping works, forwarding doesn't work)


      I was able to forward ens5 to that client port easily. Unfortunately, ens6 only respond for ICMP requests (ping works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.





      • telnet can't connect to ports 80,500 from outside of NIC2, ens6's public IP.

      • ping from outside for both NICs/IPs works

      • from inside the server, i can ping -I <dev> 8.8.8.8 both with ens5 and ens6


      enter image description here



      Interfaces



      ip a



      1: lo: 
      2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
      link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
      inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
      valid_lft 2694sec preferred_lft 2694sec
      3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
      inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
      valid_lft forever preferred_lft forever
      4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
      link/none
      inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
      valid_lft forever preferred_lft forever


      /etc/netplan/50-cloud-init.yaml



      network:
      version: 2
      ethernets:
      ens5: # NIC 1 = 172.31.39.1
      dhcp4: true
      match:
      macaddress: aa:aa:aa:aa:aa:aa
      set-name: ens5


      /etc/netplan/51-ens6.yaml



      network:
      version: 2
      renderer: networkd
      ethernets:
      ens6: # NIC 2 = 172.31.39.237
      match:
      macaddress: bb:bb:bb:bb:bb:bb
      dhcp4: no
      addresses: [172.31.39.237/20]
      routes:
      - to: 0.0.0.0/0
      via: 172.31.32.1
      table: 1000
      - to: 172.31.39.1
      via: 0.0.0.0
      scope: link
      table: 1000
      routing-policy:
      - from: 172.31.39.237
      table: 1000


      Firewall



      sysctl net.ipv4.ip_forward is set to 1.



      /etc/ufw/before.rules



      #
      # rules.before
      #
      # Rules that should be run before the ufw command line added rules. Custom
      # rules should be added to one of these chains:
      # ufw-before-input
      # ufw-before-output
      # ufw-before-forward
      #

      # START OPENVPN RULES
      *nat
      :POSTROUTING ACCEPT [0:0]


      # Masquerade outgoing traffic
      -A POSTROUTING -o ens5 -j MASQUERADE
      -A POSTROUTING -o ens6 -j MASQUERADE
      -A POSTROUTING -o tun0 -j MASQUERADE

      # Allow return traffic
      -A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

      -A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
      -A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2

      -A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
      -A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2

      -A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
      -A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2

      COMMIT

      # END OPENVPN RULES

      # Don't delete these required lines, otherwise there will be errors
      *filter
      :ufw-before-input - [0:0]
      :ufw-before-output - [0:0]
      :ufw-before-forward - [0:0]
      :ufw-not-local - [0:0]
      # End required lines

      # allow all on loopback
      -A ufw-before-input -i lo -j ACCEPT
      -A ufw-before-output -o lo -j ACCEPT

      # quickly process packets for which we already have a connection
      -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

      # drop INVALID packets (logs these in loglevel medium and higher)
      -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
      -A ufw-before-input -m conntrack --ctstate INVALID -j DROP

      # ok icmp codes for INPUT
      -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

      # ok icmp code for FORWARD
      -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

      # allow dhcp client to work
      -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

      #
      # ufw-not-local
      #
      -A ufw-before-input -j ufw-not-local

      # if LOCAL, RETURN
      -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

      # if MULTICAST, RETURN
      -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

      # if BROADCAST, RETURN
      -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

      # all other non-local packets are dropped
      -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
      -A ufw-not-local -j DROP

      # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
      # is uncommented)
      -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

      # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
      # is uncommented)
      -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

      # don't delete the 'COMMIT' line or these rules won't be processed
      COMMIT


      UFW status verbose



      Status: active
      Logging: on (low)
      Default: deny (incoming), allow (outgoing), allow (routed)
      New profiles: skip

      To Action From
      -- ------ ----
      22/tcp ALLOW IN Anywhere
      1194/udp ALLOW IN Anywhere
      80/tcp ALLOW IN Anywhere
      5000/tcp ALLOW IN Anywhere
      Anywhere ALLOW IN 80/tcp
      Anywhere on tun0 ALLOW IN Anywhere
      22/tcp (v6) ALLOW IN Anywhere (v6)
      80/tcp (v6) ALLOW IN Anywhere (v6)
      5000/tcp (v6) ALLOW IN Anywhere (v6)
      Anywhere (v6) ALLOW IN 80/tcp (v6)
      Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)

      Anywhere ALLOW OUT Anywhere on tun0
      80/tcp ALLOW OUT Anywhere on eth0
      10.8.0.0/24 ALLOW OUT Anywhere on ens5
      Anywhere ALLOW OUT Anywhere on ens5
      Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
      80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
      Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5


      Routing



      ip rule list



      0:  from all lookup local 
      0: from 172.31.39.237 lookup 1000
      32766: from all lookup main
      32767: from all lookup default


      route -n



      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
      10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
      172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
      172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
      172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5


      ip route show table all



      default via 172.31.32.1 dev ens6 table 1000 proto static 
      172.31.39.1 dev ens6 table 1000 proto static scope link
      default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
      10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
      172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
      172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
      172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
      broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
      local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
      broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
      broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
      local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
      local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
      broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
      broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
      broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
      local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
      local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
      broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
      broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
      local ::1 dev lo proto kernel metric 256 pref medium
      fe80::/64 dev ens6 proto kernel metric 256 pref medium
      fe80::/64 dev ens5 proto kernel metric 256 pref medium
      fe80::/64 dev tun0 proto kernel metric 256 pref medium
      local ::1 dev lo table local proto kernel metric 0 pref medium
      local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
      local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
      local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
      ff00::/8 dev ens6 table local metric 256 pref medium
      ff00::/8 dev ens5 table local metric 256 pref medium
      ff00::/8 dev tun0 table local metric 256 pref medium


      Client config



      to be short, let's assume:



      iptables -I INPUT -j ACCEPT
      iptables -I FORWARD -j ACCEPT
      iptables -I OUTPUT -j ACCEPT


      What am i missing?










      share|improve this question
















      In my VPN, client with address 10.8.0.2 exposes ports 80 and 5000. I need to forward these ports on server to the client so i can access "forwarded" ports from outside of the VPN network.



      I have two EC2 NICs and their ip/subnets on the server machine (both assigned AWS Elastic IP i use):



      -       IP            availability to world
      - 172.31.39.1/20 (ping works, forwarding works)
      - 172.31.39.237/20 (ping works, forwarding doesn't work)


      I was able to forward ens5 to that client port easily. Unfortunately, ens6 only respond for ICMP requests (ping works for both IPs) from outside, but it is not usable to connect to my ports. The setup does not work as expected.





      • telnet can't connect to ports 80,500 from outside of NIC2, ens6's public IP.

      • ping from outside for both NICs/IPs works

      • from inside the server, i can ping -I <dev> 8.8.8.8 both with ens5 and ens6


      enter image description here



      Interfaces



      ip a



      1: lo: 
      2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
      link/ether aa:aa:aa:aa:aa:aa brd ff:ff:ff:ff:ff:ff
      inet 172.31.39.1/20 brd 172.31.47.255 scope global dynamic ens5
      valid_lft 2694sec preferred_lft 2694sec
      3: ens6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
      link/ether bb:bb:bb:bb:bb:bb brd ff:ff:ff:ff:ff:ff
      inet 172.31.39.237/20 brd 172.31.47.255 scope global ens6
      valid_lft forever preferred_lft forever
      4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
      link/none
      inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
      valid_lft forever preferred_lft forever


      /etc/netplan/50-cloud-init.yaml



      network:
      version: 2
      ethernets:
      ens5: # NIC 1 = 172.31.39.1
      dhcp4: true
      match:
      macaddress: aa:aa:aa:aa:aa:aa
      set-name: ens5


      /etc/netplan/51-ens6.yaml



      network:
      version: 2
      renderer: networkd
      ethernets:
      ens6: # NIC 2 = 172.31.39.237
      match:
      macaddress: bb:bb:bb:bb:bb:bb
      dhcp4: no
      addresses: [172.31.39.237/20]
      routes:
      - to: 0.0.0.0/0
      via: 172.31.32.1
      table: 1000
      - to: 172.31.39.1
      via: 0.0.0.0
      scope: link
      table: 1000
      routing-policy:
      - from: 172.31.39.237
      table: 1000


      Firewall



      sysctl net.ipv4.ip_forward is set to 1.



      /etc/ufw/before.rules



      #
      # rules.before
      #
      # Rules that should be run before the ufw command line added rules. Custom
      # rules should be added to one of these chains:
      # ufw-before-input
      # ufw-before-output
      # ufw-before-forward
      #

      # START OPENVPN RULES
      *nat
      :POSTROUTING ACCEPT [0:0]


      # Masquerade outgoing traffic
      -A POSTROUTING -o ens5 -j MASQUERADE
      -A POSTROUTING -o ens6 -j MASQUERADE
      -A POSTROUTING -o tun0 -j MASQUERADE

      # Allow return traffic
      -A INPUT -i ens5 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i ens6 -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

      -A PREROUTING -i ens5 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2
      -A PREROUTING -i ens6 -p tcp --dport 80 -j DNAT --to-destination 10.8.0.2

      -A PREROUTING -i ens5 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2
      -A PREROUTING -i ens6 -p tcp --dport 443 -j DNAT --to-destination 10.8.0.2

      -A PREROUTING -i ens5 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2
      -A PREROUTING -i ens6 -p tcp --dport 5000 -j DNAT --to-destination 10.8.0.2

      COMMIT

      # END OPENVPN RULES

      # Don't delete these required lines, otherwise there will be errors
      *filter
      :ufw-before-input - [0:0]
      :ufw-before-output - [0:0]
      :ufw-before-forward - [0:0]
      :ufw-not-local - [0:0]
      # End required lines

      # allow all on loopback
      -A ufw-before-input -i lo -j ACCEPT
      -A ufw-before-output -o lo -j ACCEPT

      # quickly process packets for which we already have a connection
      -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

      # drop INVALID packets (logs these in loglevel medium and higher)
      -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
      -A ufw-before-input -m conntrack --ctstate INVALID -j DROP

      # ok icmp codes for INPUT
      -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
      -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

      # ok icmp code for FORWARD
      -A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
      -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

      # allow dhcp client to work
      -A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

      #
      # ufw-not-local
      #
      -A ufw-before-input -j ufw-not-local

      # if LOCAL, RETURN
      -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

      # if MULTICAST, RETURN
      -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

      # if BROADCAST, RETURN
      -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

      # all other non-local packets are dropped
      -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
      -A ufw-not-local -j DROP

      # allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
      # is uncommented)
      -A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

      # allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
      # is uncommented)
      -A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

      # don't delete the 'COMMIT' line or these rules won't be processed
      COMMIT


      UFW status verbose



      Status: active
      Logging: on (low)
      Default: deny (incoming), allow (outgoing), allow (routed)
      New profiles: skip

      To Action From
      -- ------ ----
      22/tcp ALLOW IN Anywhere
      1194/udp ALLOW IN Anywhere
      80/tcp ALLOW IN Anywhere
      5000/tcp ALLOW IN Anywhere
      Anywhere ALLOW IN 80/tcp
      Anywhere on tun0 ALLOW IN Anywhere
      22/tcp (v6) ALLOW IN Anywhere (v6)
      80/tcp (v6) ALLOW IN Anywhere (v6)
      5000/tcp (v6) ALLOW IN Anywhere (v6)
      Anywhere (v6) ALLOW IN 80/tcp (v6)
      Anywhere (v6) on tun0 ALLOW IN Anywhere (v6)

      Anywhere ALLOW OUT Anywhere on tun0
      80/tcp ALLOW OUT Anywhere on eth0
      10.8.0.0/24 ALLOW OUT Anywhere on ens5
      Anywhere ALLOW OUT Anywhere on ens5
      Anywhere (v6) ALLOW OUT Anywhere (v6) on tun0
      80/tcp (v6) ALLOW OUT Anywhere (v6) on eth0
      Anywhere (v6) ALLOW OUT Anywhere (v6) on ens5


      Routing



      ip rule list



      0:  from all lookup local 
      0: from 172.31.39.237 lookup 1000
      32766: from all lookup main
      32767: from all lookup default


      route -n



      Kernel IP routing table
      Destination Gateway Genmask Flags Metric Ref Use Iface
      0.0.0.0 172.31.32.1 0.0.0.0 UG 100 0 0 ens5
      10.8.0.0 0.0.0.0 255.255.255.0 U 0 0 0 tun0
      172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens6
      172.31.32.0 0.0.0.0 255.255.240.0 U 0 0 0 ens5
      172.31.32.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens5


      ip route show table all



      default via 172.31.32.1 dev ens6 table 1000 proto static 
      172.31.39.1 dev ens6 table 1000 proto static scope link
      default via 172.31.32.1 dev ens5 proto dhcp src 172.31.39.1 metric 100
      10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
      172.31.32.0/20 dev ens6 proto kernel scope link src 172.31.39.237
      172.31.32.0/20 dev ens5 proto kernel scope link src 172.31.39.1
      172.31.32.1 dev ens5 proto dhcp scope link src 172.31.39.1 metric 100
      broadcast 10.8.0.0 dev tun0 table local proto kernel scope link src 10.8.0.1
      local 10.8.0.1 dev tun0 table local proto kernel scope host src 10.8.0.1
      broadcast 10.8.0.255 dev tun0 table local proto kernel scope link src 10.8.0.1
      broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
      local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
      local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
      broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
      broadcast 172.31.32.0 dev ens6 table local proto kernel scope link src 172.31.39.237
      broadcast 172.31.32.0 dev ens5 table local proto kernel scope link src 172.31.39.1
      local 172.31.39.1 dev ens5 table local proto kernel scope host src 172.31.39.1
      local 172.31.39.237 dev ens6 table local proto kernel scope host src 172.31.39.237
      broadcast 172.31.47.255 dev ens6 table local proto kernel scope link src 172.31.39.237
      broadcast 172.31.47.255 dev ens5 table local proto kernel scope link src 172.31.39.1
      local ::1 dev lo proto kernel metric 256 pref medium
      fe80::/64 dev ens6 proto kernel metric 256 pref medium
      fe80::/64 dev ens5 proto kernel metric 256 pref medium
      fe80::/64 dev tun0 proto kernel metric 256 pref medium
      local ::1 dev lo table local proto kernel metric 0 pref medium
      local fe80::88f:a9ff:fe75:11f2 dev ens6 table local proto kernel metric 0 pref medium
      local fe80::894:3dff:fe41:89b4 dev ens5 table local proto kernel metric 0 pref medium
      local fe80::7507:4098:a74d:65f8 dev tun0 table local proto kernel metric 0 pref medium
      ff00::/8 dev ens6 table local metric 256 pref medium
      ff00::/8 dev ens5 table local metric 256 pref medium
      ff00::/8 dev tun0 table local metric 256 pref medium


      Client config



      to be short, let's assume:



      iptables -I INPUT -j ACCEPT
      iptables -I FORWARD -j ACCEPT
      iptables -I OUTPUT -j ACCEPT


      What am i missing?







      ubuntu openvpn ufw ubuntu-18.04 netplan






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited 4 mins ago







      Croll

















      asked yesterday









      CrollCroll

      3412




      3412






















          0






          active

          oldest

          votes











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "2"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958428%2fforwarding-port-eth-tun0-works-for-one-nic-bot-not-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Server Fault!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f958428%2fforwarding-port-eth-tun0-works-for-one-nic-bot-not-other%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Фонтен-ла-Гаярд Зміст Демографія | Економіка | Посилання |...

          Список ссавців Італії Природоохоронні статуси | Список |...

          Маріан Котлеба Зміст Життєпис | Політичні погляди |...